We consider basic notions of security for cryptographic hash functions: collision resistance, preimage resistance, and second-preimage resistance. We give seven different definitions that correspond to these three underlying ideas, and then we work out all of the implications and separations among these seven definitions within the concrete-security, provable-security framework.

Abstract. In recent years postal revenue collection underwent a major transformation due to the widespread transition to digital methods of communication. This transition directly affected not only telecommunications, which form an integral part of postal revenue collection, but also, and in a much more profound way, postage evidencing. Traditional postage evidencing remained unchanged for several dozen years until the introduction of digital printing, which drastically changed all of its security-related aspects and considerations. This paper defines the conceptual foundations of the postal revenue collection system (which is simultaneously a payment system for mailers) and the fundamental requirements imposed by the nature of hardcopy-based communication, and suggests what the authors believe to be an optimal solution for public key-based postage evidencing founded on elliptic-curve cryptography.

We analyze the security of different versions of the adapted RSA-PSS signature scheme, including schemes with variable salt lengths and message recovery. We also examine a variant with Rabin-Williams (RW) as the underlying verification primitive. Our conclusion is that the security of RSA-PSS and RW-PSS in the random oracle model can be tightly related to the hardness of inverting the underlying RSA and RW primitives, at least if the PSS salt length is reasonably large. Our security proofs are based on already existing work by Bellare and Rogaway [3] and by Coron [10], who examined signature schemes based on the original PSS encoding method.

Optimal mail certificates, introduced in [11], are efficient types of implicit certificates which offer many advantages over traditional (explicit) certificates. For example, an optimal mail certificate is small enough to fit on a two-dimensional digital postal mark together with a digital signature. This paper defines a general notion of security for implicit certificates, and proves that optimal mail certificates are secure under this definition.

Abstract. Since the appearance of public-key cryptography in the Diffie-Hellman seminal paper, many schemes have been proposed, but many have been broken. Indeed, for a long time, the simple fact that a cryptographic algorithm had withstood cryptanalytic attacks for several years was considered as a kind of validation. But some schemes took a long time before being widely studied, and maybe thereafter being broken. A much more convincing line of research has tried to provide “provable” security for cryptographic protocols, in a complexity theory sense: if one can break the cryptographic protocol, one can efficiently solve the underlying problem. Unfortunately, this initially was a purely theoretical work: very few practical schemes could be proven in this so-called “standard model” because such a security level rarely meets with efficiency. Ten years ago, Bellare and Rogaway proposed a trade-off to achieve some kind of validation of efficient schemes, by identifying some concrete cryptographic objects with ideal random ones. The most famous identification appeared in the so-called “random-oracle model”. More recently, another direction has been taken to prove the security of efficient schemes in the standard model (without any ideal assumption) by using stronger computational assumptions. In these lectures, we focus on practical asymmetric protocols together with their “reductionist” security proofs, mainly in the random-oracle model. We cover the two main goals that public-key cryptography is devoted to solve: authentication with digital signatures, and confidentiality with public-key encryption schemes.

We study how digital signature schemes can generate signatures as short as possible, in particular in the case where partial message recovery is allowed. We give a concrete proposition named OPSSR that achieves the lower bound for message expansion, and give an exact security proof of the scheme in the ideal cipher model. We extend it to the multi-key setting. We also show that this padding can be used for an asymmetric encryption scheme with minimal message expansion.

Since the appearance of public-key cryptography in the Diffie-Hellman seminal paper, many schemes have been proposed, but many have been broken. Indeed, for a long time, the simple fact that a cryptographic algorithm had withstood cryptanalytic attacks for several years was considered as a kind of validation. But some schemes took a long time before being widely studied, and maybe thereafter being broken. A much more convincing line of research has tried to provide “provable” security for cryptographic protocols, in a complexity theory sense: if one can break the cryptographic protocol, one can efficiently solve the underlying problem. Unfortunately, this initially was a purely theoretical work: very few practical schemes could be proven in this so-called “standard model” because such a security level rarely meets with efficiency. Ten years ago, Bellare and Rogaway proposed a trade-off to achieve some kind of validation of efficient schemes, by identifying some concrete cryptographic objects with ideal random ones. The most famous identification appeared in the so-called “random-oracle model”. More recently, another direction has been taken to prove the security of efficient schemes in the standard model (without any ideal assumption) by using stronger computational assumptions. In these lectures, we focus on practical asymmetric protocols together with their “reductionist” security proofs. We cover the two main goals that public-key cryptography is devoted to solve: authentication with digital signatures, and confidentiality with public-key encryption schemes.

...group, is defined by a black-box: a new element necessarily comes from the addition (or the subtraction) of two already known elements. It is by now called the “generic model”. Some more recent works [77, 18] even require several ideal models together to provide some new validations. 1.3 Outline of the Notes In the next section, we explain and motivate more about exact security proofs, and we introduce th...

Granboulan [4] proposed the signature scheme named OPSSR, in the ideal cipher model, that achieves the lower bound for message expansion. In this paper, we propose a scheme which gives security equivalent to that of OPSSR in the random permutation model, which is weaker than the ideal cipher model. We also give an exact security proof. We extend our scheme to the multi-key setting. By the results of this paper, we partially solve the open problems posed by Granboulan.

Dissemination level:
PU Public (X)
PP Restricted to other programme participants (including the Commission services)
RE Restricted to a group specified by the consortium (including the Commission services)
CO Confidential, only for members of the consortium (including the Commission services)
Report on Side-channel Aware Design Methods for

...al models that we have discussed. Definition 6 on the other hand is the weakest. It is Definition 7 that has become the de facto definition of security for digital signature schemes in the literature [36, 37, 94, 105, 114]. It is known as existential unforgeability under adaptive chosen message attack. 2.4 Public Key Encryption Schemes As we did for digital signature schemes in Section 2.3, we now present the adversari...
